Emission of Audit Messages - dcm4che/dcm4chee-arc-light GitHub Wiki

Content

Overview

DCM4CHEE Archive 5.x supports security auditing for described Audit Trail Profiles.

To help assure healthcare privacy and security in automated systems, usage data need to be collected. These data will be reviewed by administrative staff to verify that healthcare data is being used in accordance with the healthcare provider's data security requirements and to establish accountability for data use. This data collection and review process is called security auditing, and the data itself comprises the audit trail. Audit trails can be used for surveillance purposes to detect when interesting events might be happening that warrant further investigation.

Audit messages can be sent to one or more audit record repositories.

Configuration

Archive's default and sample configurations already contain the below configurations i.e. one Audit Logger and one Audit Record Repository. Repeat the below configurations to send audit messages to multiple audit record repositories.

Using Archive UI

Go to Menu -> Configuration

Archive Configurations

  • Select dcm4chee-arc device.
  • Go to Child Objects -> Network Connections.
    • (Optional) Change host of pre-configured syslog or syslog-tls connections.
  • Go to Extensions -> Device Extension -> Child Objects -> Audit Logger -> Attributes.
    • (Optional) Verify Network Connection Reference reflects changed host.
  • Go to Extensions -> Device Extension -> Archive Device Extension -> Attributes.
    • Set values to the fields :
      Audit Polling Interval
      Audit Aggregate Duration
      Audit Spool Directory
      

Keycloak Configurations

Required only for secured archive, i.e. either or both archive UI and REST services is secured.

  • Select keycloak device.
  • Go to Child Objects -> Network Connections.
    • (Optional) Change host of pre-configured syslog or syslog-tls connections.
  • Go to Extensions -> Device Extension -> Child Objects -> Audit Logger -> Attributes.
    • (Optional) Verify Network Connection Reference reflects changed host.

Logstash Configurations

  • Select logstash device.
  • Go to Child Objects -> Network Connections.
    • (Optional) Change host of pre-configured syslog or syslog-tls connections.
  • Go to Extensions -> Device Extension -> Audit Record Repository Device Extension -> Attributes.
    • (Optional) Verify Network Connection Reference reflects changed host.

Using LDAP

Once below configurations are complete, reload the configuration using archive UI Menu -> Configuration -> Control.

Archive Configurations

Either create an LDIF file e.g.,

    version: 1
    dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    changetype: modify
    add: dcmAuditPollingInterval
    dcmAuditPollingInterval: PT5M
    -
    
    dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    changetype: modify
    add: dcmAuditAggregateDuration
    dcmAuditAggregateDuration: PT1M
    -

    dn: dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    changetype: modify
    add: dcmAuditSpoolDirectory
    dcmAuditSpoolDirectory: ${jboss.server.data.dir}/audit-spool
    -

    dn: cn=Audit Logger,dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dcmAuditSourceTypeCode: 4
    dcmAuditRecordRepositoryDeviceReference: dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    objectClass: dcmAuditLogger
    dicomNetworkConnectionReference: cn=syslog,dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomNetworkConnectionReference: cn=syslog-tls,dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    cn: Audit Logger
    -

    dn: cn=syslog,dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomHostname: localhost
    objectClass: dicomNetworkConnection
    objectClass: dcmNetworkConnection
    dcmProtocol: SYSLOG_UDP
    dcmClientBindAddress: 0.0.0.0
    cn: syslog

    dn: cn=syslog-tls,dicomDeviceName=dcm4chee-arc,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomInstalled: FALSE
    dicomHostname: localhost
    objectClass: dicomNetworkConnection
    objectClass: dcmNetworkConnection
    dicomTLSCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA
    dicomTLSCipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    dcmProtocol: SYSLOG_TLS
    dcmClientBindAddress: 0.0.0.0
    cn: syslog-tls
    -

and import it to the LDAP Server by using the ldapmodify command line utility.

or use the Add Attribute... and Add Value... function of Apache Directory Studio to add attributes on Device level (e.g., dicomDeviceName=dcm4chee-arc).

Refer Archive Device, Audit Logger and Network Connection to understand the description of attributes.

Refer ISO-8601 Duration format for more know-how on Durations.

Keycloak Configurations

Required only for secured archive, i.e. either or both archive UI and REST services is secured. Either create an LDIF file e.g.,

    version: 1

    dn: cn=Audit Logger,dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dcmAuditSourceTypeCode: 4
    dcmAuditRecordRepositoryDeviceReference: dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    objectClass: dcmAuditLogger
    dicomNetworkConnectionReference: cn=syslog,dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomNetworkConnectionReference: cn=syslog-tls,dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    cn: Audit Logger
    -

    dn: cn=syslog,dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomHostname: localhost
    objectClass: dicomNetworkConnection
    objectClass: dcmNetworkConnection
    dcmProtocol: SYSLOG_UDP
    dcmClientBindAddress: 0.0.0.0
    cn: syslog

    dn: cn=syslog-tls,dicomDeviceName=keycloak,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomInstalled: FALSE
    dicomHostname: localhost
    objectClass: dicomNetworkConnection
    objectClass: dcmNetworkConnection
    dicomTLSCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA
    dicomTLSCipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    dcmProtocol: SYSLOG_TLS
    dcmClientBindAddress: 0.0.0.0
    cn: syslog-tls
    -

and import it to the LDAP Server by using the ldapmodify command line utility.

or use the Add Attribute... and Add Value... function of Apache Directory Studio to add attributes on Device level (e.g., dicomDeviceName=dcm4chee-arc).

Refer Audit Logger and Network Connection to understand the description of attributes.

Logstash Configurations

Either create an LDIF file e.g.,

    version: 1

    dn: dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    objectClass: dcmDevice
    objectClass: dicomDevice
    dicomDeviceName: logstash
    dicomInstalled: TRUE
    dicomPrimaryDeviceType: LOG

    dn: cn=syslog,dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    objectClass: dcmNetworkConnection
    objectClass: dicomNetworkConnection
    dicomHostname: localhost
    cn: syslog
    dcmProtocol: SYSLOG_UDP
    dicomPort: 514

    dn: cn=syslog-tls,dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomInstalled: FALSE
    dicomHostname: localhost
    dicomPort: 6514
    objectClass: dicomNetworkConnection
    objectClass: dcmNetworkConnection
    dicomTLSCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA
    dicomTLSCipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    dcmProtocol: SYSLOG_TLS
    cn: syslog-tls

    dn: cn=Audit Record Repository,dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    objectClass: dcmAuditRecordRepository
    cn: Audit Record Repository
    dicomNetworkConnectionReference: cn=syslog,dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    dicomNetworkConnectionReference: cn=syslog-tls,dicomDeviceName=logstash,cn=Devices,cn=DICOM Configuration,dc=dcm4che,dc=org
    -

and import it to the LDAP Server by using the ldapmodify command line utility.

or use the Add Attribute... and Add Value... function of Apache Directory Studio to add attributes on Device level (e.g., dicomDeviceName=logstash).

Refer Device to understand the description of attributes.

Tests and Verification

  • Start syslogd tool.
  • Test one of the Audit Trail Profiles.
  • Once the configured Audit Polling Interval is reached, verify the audit message sent in XML format to syslogd tool.
⚠️ **GitHub.com Fallback** ⚠️